Installing Kerberos on Windows for use with PuTTY
Intended for:
Kerberos users and system administrators.
Scenario/Use case:
This article provides instructions on how to install and configure the Kerberos software on your Windows system. This software, when used with the PuTTY SSH client, allows you to authenticate to Kerberos, open Kerberized connections to remote machines, and encrypt your data transmissions. This article also provides information on setting up PuTTY with your YubiKey.
Note that while the configuration described in this article complies with the Fermilab Policy on Computing and some divisions are recommending and supporting it, it is not formally supported by the Computing Sector.
Instructions:
Getting Ready
Obtain a Kerberos Principal
First, verify that you have administrator privileges on the PC. Next, you need to obtain a Kerberos principal and initial password for the FNAL.GOV realm. Use the ServiceNow form Computing Username and Primary Accounts to request an account if needed.
Installing MIT Kerberos for Windows
MIT KfW 4.1 is the recommended version (it is nearly the same as the one installed on all FERMI Domain Windows machines).
- Log into an account with administrator privileges.
- Download the Kerberos client software from MIT.
- This brings you to the MIT Kerberos Distribution Page. Under MIT Kerberos for Windows 4.1, click on the file listed next to 64-bit MSI Installer to download msi file.
- Once this msi file is downloaded to your machine, execute it to install the Kerberos program.
- You will be asked a series of questions, but you can safely use the defaults and just click through the screens. Checking the time synchronization when prompted is a good idea: Kerberos rejects authentication if the client clock is more than a few minutes off from the KDC's, so a drifting PC clock is a common cause of "clock skew" failures later.
- The software gets installed under C:\Program Files\MIT\Kerberos by default.
- After installing the files, it will ask if it's OK to restart your computer. Say yes.
Installing PuTTY
Grab the latest release from GitHub, found here. Use the appropriate install method. PuTTY installs under C:\Program Files\PuTTY by default.
Getting a Ticket
The Ticket Manager can manage multiple identities, including renewing credentials as needed. Ticket Manager lives in the taskbar notification area (lower right side of the screen, the icon with the silhouette of a K). Note that the following details are for configuring and using MIT Kerberos for Windows v4 and may differ from other versions and from NetIdMgr.
- Open the taskbar notification area and right-click on the Ticket Manager and select Open MIT Kerberos Window.
- Select Get Ticket.
- Enter the principal name (user@FERMI.WIN.FNAL.GOV or user@FNAL.GOV) and the password for that principal. Ensure that the options "Remember this Principal," "Forwardable and Proxiable," and "Renewable" are selected; PuTTY's credential delegation (below) only works with a forwardable ticket. Click OK.
Instead of using the MIT Ticket Manager, you can open a command prompt or terminal and type kinit to request a ticket; you will be prompted for your Kerberos password. To verify the ticket and its flags, type klist -f at the command prompt and check that the TGT's Flags line includes F (forwardable) and R (renewable).
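The command-line route above, written out as a PowerShell script. This is an added example, not code from the original article or from MIT: it assumes KfW is installed in the default location, that the principal below is a placeholder you replace with your own, and that klist -f prints a "Flags:" line under each ticket as MIT's klist does.

```powershell
# Added example: get a forwardable, proxiable, renewable TGT with KfW's kinit
# and confirm the flags with klist -f before relying on it for PuTTY/GSSAPI.
# Assumes the default KfW install path; the principal is a placeholder.

$KfwBin    = 'C:\Program Files\MIT\Kerberos\bin'
$Principal = 'user@FNAL.GOV'   # placeholder, replace with your own principal
$Realm     = 'FNAL.GOV'

# -f forwardable, -p proxiable, -r renewable lifetime (7 days here).
# kinit prompts for the password on the console.
& "$KfwBin\kinit.exe" -f -p -r 7d $Principal
if ($LASTEXITCODE -ne 0) {
    throw "kinit failed (exit $LASTEXITCODE): check the password, realm and clock skew"
}

# MIT klist -f prints the ticket line followed by a line such as
#   renew until 01/08/24 10:00:00, Flags: FPRIA
# F = forwardable, P = proxiable, R = renewable, I = initial, A = preauthenticated.
$klist = & "$KfwBin\klist.exe" -f
$tgt = $klist | Select-String -Pattern "krbtgt/$Realm@$Realm" -Context 0, 1
if (-not $tgt) { throw "no TGT for $Realm in the credential cache" }

$flagsLine = ($tgt.Context.PostContext -join ' ')
if ($flagsLine -notmatch 'Flags:\s*(\S+)') { throw "could not read ticket flags from: $flagsLine" }
$flags = $Matches[1]

# Credential delegation in PuTTY needs F; automatic renewal by Ticket Manager needs R.
foreach ($required in 'F', 'R') {
    if ($flags -notmatch $required) {
        Write-Warning "TGT is missing flag $required (flags: $flags); re-run kinit with -f -r"
    }
}
"TGT for $Principal has flags: $flags"
```

Run it from a PowerShell prompt after installing KfW; a ticket that shows flags without F will authenticate you to the host but PuTTY's credential delegation will silently do nothing.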
Configuring the PuTTY Application
Create a new SSH Profile Session for Kerberized Host
You should create one profile for each Kerberized host you wish to access.
- Start the PuTTY application. The PuTTY Configuration window will appear.
- In the Session section, type the destination's fully qualified hostname in the Host Name box and the same name in Saved Sessions. Use the hostname rather than the IP address: GSSAPI authentication asks the KDC for a ticket for the service principal host/<fqdn>@REALM, and the name you type here is the one PuTTY and the Kerberos library start from.
- Click Save for future use. To use a saved session later you will click on the session name in the Saved Sessions list to select and then click Load and then Open.
Setup Kerberos Settings
- Start the PuTTY application. The PuTTY Configuration window will appear.
- Load a previously saved session by clicking on the machine name in the list under Saved Sessions and clicking Load.
- Open the Connection > SSH > Auth > GSSAPI section.
- Check the box to Allow GSSAPI credential delegation. Delegation forwards a copy of your TGT to the remote host so that you can reach other Kerberized services from there; it also lets that host act as you for the ticket's lifetime, so only enable it for hosts you trust and that actually need it.
- Click Browse... under User-supplied GSSAPI library path and select C:\Program Files\MIT\Kerberos\bin\gssapi64.dll (for a 32-bit PuTTY build, choose gssapi32.dll from the same directory instead).
- Scroll back up to Session and click Save for future use.
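The same saved-session settings can be written to the registry with PowerShell, which is convenient when the profile must be repeated for many hosts or pushed to several PCs. This is an added example, not code from the original article or from PuTTY. It assumes PuTTY keeps saved sessions under HKCU:\Software\SimonTatham\PuTTY\Sessions with the value names shown (HostName, PortNumber, Protocol, AuthGSSAPI, GssapiFwd, GSSLibs, GSSCustom, as written by PuTTY's settings code; confirm them against a session you saved in the GUI before relying on this), that KfW is in its default location, and that the hostname is a placeholder.

```powershell
# Added example: create or update a PuTTY saved session with the GSSAPI settings
# from the steps above, without clicking through the GUI.
# Assumes PuTTY's registry layout and value names as noted in the lead-in;
# the hostname is a placeholder.

param(
    [string]$SessionName = 'example.fnal.gov',   # placeholder saved-session name
    [string]$HostName    = 'example.fnal.gov',   # FQDN, not IP, so host/<fqdn>@REALM can be found
    [int]$Port           = 22,
    [bool]$Delegate      = $false                 # credential delegation only for hosts that need your TGT
)

$SessionsRoot = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
$GssDll       = 'C:\Program Files\MIT\Kerberos\bin\gssapi64.dll'   # gssapi32.dll for 32-bit PuTTY

function ConvertTo-PuttyKeyName([string]$Name) {
    # PuTTY %XX-escapes characters in session names (e.g. "Default%20Settings").
    # This approximation escapes everything outside letters, digits, '.', '-', '_';
    # keep session names to plain hostnames and the GUI and this script agree.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Name.ToCharArray()) {
        if ($ch -match '[A-Za-z0-9._-]') { [void]$sb.Append($ch) }
        else { [void]$sb.Append(('%{0:X2}' -f [int]$ch)) }
    }
    $sb.ToString()
}

if (-not (Test-Path -LiteralPath $GssDll)) {
    throw "GSSAPI library not found at $GssDll; install MIT Kerberos for Windows first"
}

$Key = Join-Path $SessionsRoot (ConvertTo-PuttyKeyName $SessionName)
New-Item -Path $Key -Force | Out-Null

# Value name => @(value, registry type). DWord 1/0 are PuTTY's booleans.
$settings = [ordered]@{
    HostName   = @($HostName, 'String')
    PortNumber = @($Port, 'DWord')
    Protocol   = @('ssh', 'String')
    AuthGSSAPI = @(1, 'DWord')                          # Attempt GSSAPI authentication
    GssapiFwd  = @([int]$Delegate, 'DWord')             # Allow GSSAPI credential delegation
    GSSLibs    = @('custom,gssapi32,sspi', 'String')    # try the user-supplied library first
    GSSCustom  = @($GssDll, 'String')                   # User-supplied GSSAPI library path
}

foreach ($name in $settings.Keys) {
    $value, $type = $settings[$name]
    Set-ItemProperty -Path $Key -Name $name -Value $value -Type $type
}

# Read back what PuTTY will see so a typo in a value name is caught now, not at login.
Get-ItemProperty -Path $Key | Select-Object HostName, PortNumber, AuthGSSAPI, GssapiFwd, GSSLibs, GSSCustom
```

Values not written here keep PuTTY's built-in defaults when the session is loaded. Keeping GssapiFwd at 0 by default and switching it on per host mirrors the caveat above: delegation is a capability you hand to the remote machine, not a convenience to enable everywhere.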
Connect to Kerberized Host using YubiKey
- Plug your YubiKey into your machine.
- This is needed so that the certificate stored on the YubiKey is available to Windows.
- Start the PuTTY application. The PuTTY Configuration window will appear.
- In the Session section, load a previously saved session by clicking on the machine name in the list under Saved Sessions and clicking Load.
- A new session can also be created if the existing saved session should not use the YubiKey.
- Open the Connection > SSH > Certificate section
- If you do not see this section in your PuTTY window, go back and make sure you have the newest version installed.
- Check the box to Attempt certificate / key authentication.
- Click Set CAPI Cert... under Authentication parameters; a certificate chooser will pop up.
- If you do not see your username from FERMI Sub CA, you may have more than one certificate on your machine. Click More choices to find the correct certificate.
- Scroll back up to Session and click Save for future use.
Finding Authorized Keys Information
This information (the SSH public key corresponding to your certificate) is needed by the administrator of the machine you are connecting to, who adds it to your authorized keys there.
- Start the PuTTY application. The PuTTY Configuration window will appear.
- Load the previously saved session that was set up with your certificate by clicking on the machine name in the list under Saved Sessions and clicking Load.
- Open the Connection > SSH > Certificate section
- Click Copy To Clipboard.
- Give the copied information to the administrator.
- The administrator should add the copied line to /home/user/.ssh/authorized_keys, replacing user with the actual username of the person.
- The .ssh directory must be owned by that user and not writable by anyone else (mode 700, authorized_keys mode 600); sshd's default StrictModes setting ignores the file otherwise, and the login fails with no obvious error on the PuTTY side.
See Also: